Unpacking TrickBot Banker

Source: 2c4eab037c37b55780cce28e48d930faa60879045208ae4b64631bb7a2f4cb2a

Steps:
(1) Dump the injected process using Immunity Debugger;
(2) Rebase and obtain a TrickLoader‘s injected executable from memory;
(3) Find host-based and network protocol artifacts;
(4) Decode the config finding by advapi.dll’s CryptDecrypt API

<mcconf>
	<ver>1000002</ver>
	<gtag>tmt2</gtag>
	<servs>
	<srv>91.219.28.77:443</srv>
	<srv>193.9.28.24:443</srv>
	<srv>37.1.209.51:443</srv>
	<srv>138.201.44.28:443</srv>
	<srv>188.116.23.98:443</srv>
	<srv>104.250.138.194:443</srv>
	<srv>46.22.211.34:443</srv>
	<srv>68.179.234.69:443</srv>
	<srv>5.12.28.0:443</srv>
	<srv>36.37.176.6:443</srv>
	<srv>37.109.52.75:443</srv>
	<srv>27.208.131.97:443</srv>
	</servs>
	<autorun>
	<modulename=“systeminfo“ ctl=“GetSystemInfo“/>
	<modulename=“injectDll“/>
	</autorun>
	</mcconf>

Leave a Reply Cancel reply

Enter your comment here...

Fill in your details below or click an icon to log in:

Email (required) (Address never made public)

Name (required)

Website

You are commenting using your WordPress.com account. ( Log Out / Change )

You are commenting using your Facebook account. ( Log Out / Change )

Cancel

Connecting to %s

%d bloggers like this:

	Peter Kruse on Let’s Learn: In-Depth on…
	mark Johnson on Malware Traffic Internals: Bla…
	Passion on Let’s Learn: In-Depth Re…
	Unknown on Programming Challenge in …
	Hung-Ting on Installing Cuckoo Sandbox on M…

	Peter Kruse on Let’s Learn: In-Depth on…
	mark Johnson on Malware Traffic Internals: Bla…
	Passion on Let’s Learn: In-Depth Re…
	Unknown on Programming Challenge in …
	Hung-Ting on Installing Cuckoo Sandbox on M…

	Peter Kruse on Let’s Learn: In-Depth on…
	mark Johnson on Malware Traffic Internals: Bla…
	Passion on Let’s Learn: In-Depth Re…
	Unknown on Programming Challenge in …
	Hung-Ting on Installing Cuckoo Sandbox on M…

Share this:

Like this:

Related

Leave a Reply Cancel reply